Cryptowall 4.0


Cryptowall has been updated: the ransom note has been redesigned, the note filenames are new, and it now encrypts each file's name along with its contents. The new note even congratulates the victims!

It still:

Uses RC4 for comms with the Command & Control servers

Creates a victim's unique identifier from the MD5 hash of the computer name, volume serial number, processor information, and OS version

Injects itself into Explorer.exe, disables System Restore, deletes all Shadow Volume Copies, and uses bcdedit to turn off Windows Startup Repair

Then injects itself into svchost.exe and encrypts the data on all local drives, removable drives, and mapped network drives

Once encryption of the files is complete, launches the ransom notes that explain what happened and how to purchase the decrypter

Cryptowall's note in its new Help_File reads: ‘CryptoWall Project is not malicious and is not intended to harm a person and his/her information data.
The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection. Together we make the Internet a better and safer place.’

At this particular time Cryptowall seems to be sent through mail only, and it installs via a .js file inside a resume.zip attachment. Attachment names seen so far:

Susan_resume.zip

Myriam_resume_8347.zip

So the pattern is %femalename%_resume_XXXX.zip
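As an added example (not part of the original post), a small mail-gateway style check that flags attachments matching the resume.zip naming pattern above and inspects the archive for a .js payload. The function and rule names are my own; the sample attachments are constructed in memory, not real samples.

```python
import io
import re
import zipfile
from typing import Dict, List

# Naming pattern observed in the campaign: <first name>_resume.zip or
# <first name>_resume_<digits>.zip (the numeric suffix is optional).
RESUME_ZIP_RE = re.compile(r"^[A-Za-z]+_resume(?:_\d+)?\.zip$", re.IGNORECASE)


def name_matches_campaign(filename: str) -> bool:
    """True if the attachment name fits the %femalename%_resume_XXXX.zip pattern."""
    return bool(RESUME_ZIP_RE.match(filename))


def js_members(data: bytes) -> List[str]:
    """Return the names of .js members inside a zip given as bytes ([] if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".js")]
    except zipfile.BadZipFile:
        return []


def assess_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment: 'block' (name pattern + .js inside), 'review' (one
    indicator only) or 'allow' (neither)."""
    scripts = js_members(data)
    if scripts and name_matches_campaign(filename):
        return "block"
    if scripts or name_matches_campaign(filename):
        return "review"
    return "allow"


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build a zip in memory; used here only to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a lure-style archive carrying a .js, and a harmless one.
    lure = make_zip({"Myriam_resume_8347.js": b"// constructed placeholder"})
    benign = make_zip({"Myriam_resume.docx": b"constructed placeholder"})
    print(assess_attachment("Myriam_resume_8347.zip", lure))    # block
    print(assess_attachment("Myriam_resume_8347.zip", benign))  # review
    print(assess_attachment("report.zip", benign))              # allow
```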

Update

This will again escalate to Exploit Kits being used as a means to drop the new Cryptowall 4.0, and without a doubt it will be included in the next Angler Exploit Kit version.